Windows 10 face authentication can be fooled with a printed photograph

Keeping your devices up to date with the latest software is always a good idea: along with added features and bug fixes, new software often includes security updates that keep you safe from intruders. Such is the case with Windows 10. Security researchers from German firm SySS recently discovered that Windows 10 systems that have yet to receive the Fall Creators Update are vulnerable to a spoofing attack using a printed photo.

In a report, the firm claims that it was able to defeat the Windows Hello facial authentication system with a modified printed photograph of the authorized user. SySS researchers were able to bypass the security feature on both a Dell Latitude laptop and Microsoft’s own Surface Pro 4, which has “enhanced anti-spoofing” as well.

Thankfully, as the firm's video demonstration shows, the bypass would be extraordinarily difficult for anyone to accomplish. The attacker not only needs a modified headshot of the user, but also needs physical access to the device itself. That said, a security flaw is a security flaw, and it definitely needs to be addressed.

Interestingly, even after applying the Fall Creators Update, SySS was still able to use the photo to access the test devices. The only way to ensure that your device is safe from this flaw is to update to the latest version of Windows 10, enable the “enhanced anti-spoofing” feature and reconfigure Windows Hello from scratch.

“If only the Windows 10 operating system is updated from a vulnerable version like 1607 to the latest revision of 1709 without newly setting up Windows Hello Face Authentication, the simple spoofing attack still works,” warns the firm. So if your computer supports Windows Hello, update and reconfigure ASAP.